[openssl-commits] [openssl] master update

Thu, 15 Mar 2018 02:10:06 -0700 

The branch master has been updated
       via  16ff13427f00753a76672317143753b83cea7982 (commit)
      from  5cd42251bae72ab73542019342362063e882e66f (commit)


- Log -----------------------------------------------------------------
commit 16ff13427f00753a76672317143753b83cea7982
Author: Matt Caswell <[email protected]>
Date:   Wed Mar 14 17:51:18 2018 +0000

    Only update the server session cache when the session is ready
    
    In TLSv1.3 the session is not ready until after the end of the handshake
    when we are constructing the NewSessionTicket.
    
    Reviewed-by: Rich Salz <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/5621)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/statem_lib.c  |  7 ++++++-
 ssl/statem/statem_srvr.c | 14 ++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 82a7119..a82079c 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1043,7 +1043,12 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, 
int clearbufs, int stop)
         ssl3_cleanup_key_block(s);
 
         if (s->server) {
-            ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
+            /*
+             * In TLSv1.3 we update the cache as part of constructing the
+             * NewSessionTicket
+             */
+            if (!SSL_IS_TLS13(s))
+                ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
 
             /* N.B. s->ctx may not equal s->session_ctx */
             CRYPTO_atomic_add(&s->ctx->stats.sess_accept_good, 1, &discard,
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 041089c..50be825 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3889,12 +3889,14 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET 
*pkt)
                  SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
         goto err;
     }
-    if (SSL_IS_TLS13(s)
-            && !tls_construct_extensions(s, pkt,
-                                         SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
-                                         NULL, 0)) {
-        /* SSLfatal() already called */
-        goto err;
+    if (SSL_IS_TLS13(s)) {
+        ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
+        if (!tls_construct_extensions(s, pkt,
+                                      SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
+                                      NULL, 0)) {
+            /* SSLfatal() already called */
+            goto err;
+        }
     }
     EVP_CIPHER_CTX_free(ctx);
     HMAC_CTX_free(hctx);
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to